DETAILED ACTION

1. This Office Action is in response to the Request for Continued Examination filed
2/7/07. Claims 1-20 are currently pending in the application. 

Claim Rejections - 35 USC § 103

2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

3. Claims 1-4, 7-8, 10, and 15-20 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Adrangi et al. (U.S. Application 10/323486) in view of Liu et al. (U.S. 
Publication US 2004/0120295 A1).

With respect to claim 1, Adrangi et al. discloses a system for providing secure 
mobile connectivity that implements Mobile IP Home Agent functionality via distributed 
components (See the abstract of Adrangi et al. for reference to a system providing 
secure mobile roaming using distributed components). Adrangi et al. also 
discloses a mobile node belonging to a home network located within a secure network 
with the mobile node having a network interface configured to communicate with other 
nodes (See page 2 paragraphs 20-22 and Figure 3 of Adrangi et al. for reference to 



Application/Control Number: 10/603,916 Page 3 

Art Unit: 2616 

a mobile node 140 having an interface to communicate with other nodes 
belonging to corporate intranet 100, which is a home network for mobile node 140 
and is also a secure network). Adrangi et al. further discloses that the mobile node 
has only one security association and only one mobility binding with a Home Agent for 
the Mobile IP Home Agent functionality (See page 3 paragraphs 23-28 and Figures 3- 
4 of Adrangi et al. for reference to a mobile node creating a single security 
association, an IPSec tunnel, with a VPN 225 and for reference to a mobile node 
having one mobility bind, the care-of address COAx, which is the mobile node's 
address on the external network). Adrangi et al. also discloses a Proxy Home Agent 
connected to the home network and located within the secure network wherein the PHA 
is configured to provide a proxying functionality (See page 2 paragraph 20, page 3 
paragraph 28, and Figures 3-5 of Adrangi et al. for reference to home agent 300, 
which is a Proxy Home Agent providing Mobile IP Home Agent functionality, 
located within the corporate intranet 100, and for reference to home agent 300 
performing a proxy functionality by determining that a mobile node is not in its 
home location and forwarding the packet to the VPN gateway 225 based on this 
determination). Adrangi et al. further discloses a Home Agent located outside of the 
secure network wherein the HA is configured to provide a signaling and tunneling 
functionality (See page 2 paragraph 20, page 3 paragraph 38 and Figures 3-5 of 
Adrangi et al. for reference to home agent 305, which provides Mobile IP Home 
Agent functionality, located outside the corporate intranet 100 and for reference 
to home agent 305 providing a signaling and tunneling functionality by tunneling 
packets to a mobile node 140 based on the care-of address, COAx, of the mobile
node). Adrangi et al. also discloses a VPN located outside the secure network and 
configured to work in conjunction with the HA (See page 2 paragraph 20 and Figure 3 
of Adrangi et al. for reference to VPN gateway 225 located outside the corporate 
intranet 100 and configured to work with the home agent 305). Adrangi et al. does 
not disclose that the HA is configured to notify the PHA of the mobile node. 

With respect to claim 15, Adrangi et al. discloses a method for secure 
communication (See the abstract of Adrangi et al. for reference to a method 
providing secure mobile roaming). Adrangi et al. also discloses a mobile node 
associated with a home network in a secure network and a corresponding node (See 
page 2 paragraphs 20-22 and Figure 3 of Adrangi et al. for reference to a mobile 
node 140 having an interface to communicate with other nodes, including CN 310, 
belonging to corporate intranet 100, which is a home network for mobile node 140 
and is also a secure network). Adrangi et al. further discloses establishing a Proxy 
Home Agent located within the secure network to monitor data directed to the mobile 
node (See page 2 paragraph 20 and Figure 3 of Adrangi et al. for reference to 
home agent 300, which is a Proxy Home Agent providing Mobile IP Home Agent 
functionality, located within the corporate intranet 100). Adrangi et al. also 
discloses establishing a Home Agent configured to create only one security association 
with the mobile node and only one mobility binding with the mobile node (See page 2 
paragraph 20 and Figure 3 of Adrangi et al. for reference to home agent 305, 
which provides Mobile IP Home Agent functionality, located outside the corporate 
intranet 100, for reference to a mobile node creating a single security association,
an IPSec tunnel, and for reference to a mobile node having one mobility bind, the 
care-of address COAx, which is the mobile node's address on the external 
network). Adrangi et al. further discloses collecting data directed to the mobile node 
(See page 2 paragraph 20 to page 3 paragraph 25 of Adrangi et al. for reference to 
both home agent 300 and home agent 305 being used to collect and route data 
directed to the mobile node 140). Adrangi et al. also discloses packaging the 
collected data in a VPN secure tunnel to an internal address of the mobile node to 
create VPN packaged data and tunneling the VPN packaged data to a current address 
of the mobile node (See page 3 paragraphs 26-28 and Figure 4 of Adrangi et al. for 
reference to using a VPN gateway 225 to package data in a secure VPN tunnel to 
an internal address of the mobile node 140 and tunneling the data to a care of 
address of the mobile node 140). Adrangi et al. does not disclose that the HA is 
configured to notify the PHA of the mobile node. 

With respect to claim 19, Adrangi et al. discloses a system for secure mobile 
connectivity that implements Mobile IP Home Agent functionality via distributed 
components (See the abstract of Adrangi et al. for reference to a system providing 
secure mobile roaming using distributed components). Adrangi et al. also 
discloses a means for establishing a Proxy Home Agent located within the secure 
network to monitor data directed to the mobile node (See page 2 paragraph 20 and 
Figure 3 of Adrangi et al. for reference to home agent 300, which is a Proxy Home 
Agent providing Mobile IP Home Agent functionality, located within corporate 
intranet 100, which is a secure network). Adrangi et al. further discloses a means for
establishing a Home Agent configured to create only one security association with the
mobile node and only one mobility binding with the mobile node (See page 2
paragraph 20 and Figure 3 of Adrangi et al. for reference to home agent 305, 
which provides Mobile IP Home Agent functionality, located outside the corporate 
intranet 100, for reference to a mobile node creating a single security association,
an IPSec tunnel, and for reference to a mobile node having one mobility bind, the 
care-of address COAx, which is the mobile node's address on the external 
network). Adrangi et al. also discloses a means for collecting data directed to the 
mobile node (See page 2 paragraph 20 to page 3 paragraph 25 of Adrangi et al. for 
reference to both home agent 300 and home agent 305 being used to collect and 
route data directed to the mobile node 140). Adrangi et al. further discloses a means 
for packaging the collected data in a VPN secure tunnel to an internal address of the 
mobile node to create VPN packaged data and a means for tunneling the VPN 
packaged data to a current address of the mobile node (See page 3 paragraphs 26-28 
and Figure 4 of Adrangi et al. for reference to using a VPN gateway 225 to 
package data in a secure VPN tunnel to an internal address of the mobile node 
140 and tunneling the data to a care of address of the mobile node 140). Adrangi 
et al. also discloses a means for the Home Agent to communicate to the PHA that the 
mobile node has either moved outside its home network or has come back to its home 
network (See pages 2-3 paragraphs 20-25 of Adrangi et al. for reference to the 
home agents 300 and 305 updating the current location of the mobile node 140 by 
storing a current care of address of the mobile node that indicates the location of
the node). Adrangi et al. further discloses a means for enabling the PHA to create and 
remove a proxy ARP entry for a permanent address associated with the mobile node 
(See page 3 paragraph 25 of Adrangi et al. for reference to home agent 300 
creating and removing care of address entries, which are proxy ARP entries for a 
permanent address associated with the mobile node 140). Adrangi et al. does not 
disclose that the HA is configured to notify the PHA of the mobile node. 

With respect to claims 1, 15, and 19, Liu et al. ('295), in the field of
communications, discloses a home agent that notifies a proxy home agent of a mobile
node (See page 3 paragraphs 34-35 and Figure 1A of Liu et al. ('295) for reference
to a mobile connectivity system 100 that includes a mobile node 120, an MIP 
proxy 102, which acts as a home agent, and a home agent 112, which acts as a 
proxy home agent, and for reference to the MIP proxy 102 sending a registration 
request, which is a notification of the mobile node 120, on behalf of the mobile 
node 120 to the home agent 112). Having the HA configured to notify the PHA of the 
mobile node has the advantage of allowing a mobile node to roam from network to 
network without requiring the mobile node to set up a new security binding each time 
the mobile node changes networks (See page 5 paragraph 53 of Liu et al. ('295) for 
reference to this advantage as well as other advantages). 

It would have been obvious for one of ordinary skill in the art at the time of the 
invention, when presented with the work of Liu et al. ('295), to combine having the HA 
configured to notify the PHA of the mobile node, as suggested by Liu et al. ('295), with 
the system and method of Adrangi et al., with the motivation being to allow a mobile
node to roam from network to network without requiring the mobile node to set up a new 
security binding each time the mobile node changes networks. 

With respect to claim 2, Adrangi et al. discloses that the VPN gateway and the 
HA are located within a single device within a DMZ (See page 2 paragraph 20 and
Figure 3 of Adrangi et al. for reference to home agent 305 and VPN gateway 225 
being located on a single processing device within a corporate DMZ 210). 

With respect to claim 3, Adrangi et al. discloses a firewall coupled to the secure 
network and the VPN gateway (See page 2 paragraph 20 and Figure 3 of Adrangi et 
al. for reference to inner firewall 15 and outer firewall 20 being coupled to the
corporate intranet 100 and the VPN gateway 225). 

With respect to claim 4, Adrangi et al. discloses that the HA is a separate
device from the VPN gateway (See page 2 paragraph 20 and Figure 3 of Adrangi et
al. for reference to the home agent 305 being implemented on an independent 
processing device within corporate DMZ 210, meaning the home agent 305 is a 
separate device from VPN gateway 225). 

With respect to claim 7, Adrangi et al. discloses a DMZ comprising a first router 
coupled to a second router that is coupled to the firewall with the VPN gateway coupled
to the first router and the firewall and the HA coupled to the router (See page 2 
paragraph 20 of Adrangi et al. for reference to VPN gateway 225, which acts as a 
first router by routing packets, for reference to the VPN gateway 225 being 
coupled to the home agent 305, which acts as a second router by routing packets,
and for reference to the VPN gateway 225 and the home agent 305 being coupled 
to firewalls 15 and 20). 

With respect to claim 8, Adrangi et al. discloses that packets from the MN 
destined towards nodes inside the secure network first go to the HA and then to the 
VPN gateway that is configured to forward the packets through the firewall to the secure 
network (See page 3 paragraph 27 and Figure 4 of Adrangi et al. for reference to 
packets sent from MN 140 to CN 310, which is a node inside of the corporate 
network 100, being first sent to home agent 305 and then to VPN gateway 225, 
which sends the packets through the firewall to CN 310). 

With respect to claim 10, Adrangi et al. discloses that a router is directly 
connected to a firewall and the VPN gateway and the HA are connected to a different 
interface of the router and the firewall (See page 2 paragraph 20, page 3 paragraph 
28, page 4 paragraph 32 and Figure 3 of Adrangi et al. for reference to home 
agents 305 and 300 both acting as routers to route packets between networks and 
for reference to VPN gateway 225 being connected to an inner firewall 15 and an 
outer firewall 20 and for reference to the VPN gateway 225 and the home agent 
305 being separate devices meaning that their connections to the firewalls 15 and 
20 are through separate interfaces). 

With respect to claim 16, Adrangi et al. discloses that the VPN secure tunnel 
follows the IP security protocol (See page 2 paragraph 22 of Adrangi et al. for 
reference to using IPSec protocol). 

With respect to claim 17, Adrangi et al. discloses that the tunneling of the VPN
packaged data to the external mobile node occurs according to the IP mobility protocol 
(See page 1 paragraph 3 of Adrangi et al. for reference to using mobile IP 
standards). 

With respect to claim 18, Adrangi et al. discloses packaging the collected data 
in an IP-in-IP tunnel and sending it to a VPN device for VPN encryption and tunneling 
the VPN packaged data to the current address of the mobile node (See page 4 
paragraph 29 and Figure 6 of Adrangi et al. for reference to packaging the data in 
an IP-in-IP tunnel and sending it to a VPN gateway 225 for VPN encryption before 
sending the packet to the care of address of the mobile node). 

With respect to claim 20, Adrangi et al. discloses a computer software product 
comprising instructions that cause an electronic device to perform the actions of Claim 15
(See page 4 paragraphs 33-34 of Adrangi et al. for reference to the devices of the 
system of Adrangi et al. being embodied as data processing devices including 
software comprising instructions that the devices of the system use to perform 
the method of Adrangi et al.). 

4. Claims 5, 9, and 14 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Adrangi et al. in view of Liu et al. ('295) and in further view of Liu et al. (U.S. 
Publication US 2003/0212900 A1). 

With respect to claim 5, Adrangi et al. discloses a DMZ located outside the 
secure network wherein the VPN gateway and the HA reside in the DMZ (See page 2 
paragraph 20 and Figure 3 of Adrangi et al. for reference to corporate DMZ 210
that is located outside the secure network and includes the VPN gateway 225 and 
home agent 305). Adrangi et al. also discloses a first firewall between the secure 
network and the DMZ and a second firewall between the DMZ and an external network 
(See page 2 paragraph 20 and Figure 3 of Adrangi et al. for reference to inner 
firewall 15, which is a first firewall located between the corporate intranet 100 and 
the DMZ 210, and for reference to outer firewall 20, which is a second firewall 
located between the DMZ 210 and an external network 205). Adrangi et al. also 
discloses that the mobile node has a permanent address in a known range (See page 1 
paragraph 12 of Adrangi et al. for reference to a mobile node 140 having a 
permanent address that all data directed towards the mobile node is addressed to 
and for reference to a home agent intercepting and rerouting data to a care of 
address of the mobile node when the mobile node has exited its home network). 
The combination of Adrangi et al. and Liu et al. ('295) does not specifically disclose that 
the firewall is configured to deny communications from the external network with a 
source address in a known range. 

With respect to claim 9, the combination of Adrangi et al. and Liu et al. ('295) 
does not disclose a firewall dropping packets having a source address in a known 
range. 

With respect to claim 14, Adrangi et al. discloses a firewall coupled to the 
secure network and the VPN gateway (See page 2 paragraph 20 of Adrangi et al. for 
reference to inner firewall 15 coupled to both the corporate intranet 100 and the 
VPN gateway 225). The combination of Adrangi et al. and Liu et al. ('295) does not
disclose dropping packets having a source address in a known range. 

With respect to claims 5, 9, and 14, Liu et al. ('900), in the field of 
communications, discloses a firewall dropping packets having a source address in a 
known range (See page 2 paragraph 19 of Liu et al. for reference to maintaining an 
ALC table 104 that is used to store addresses and ranges of addresses and a field
indicating that the address or range of addresses should be dropped by a firewall).
Using a firewall that drops packets having a source address in a known range has the 
advantage of allowing better control of the packets that are allowed to enter a secure 
network to protect against malicious packets. 

It would have been obvious for one of ordinary skill in the art at the time of the 
invention, when presented with the work of Liu et al. ('900), to combine using a firewall 
that drops packets having a source address in a known range, as suggested by Liu et 
al. ('900), with the system and method of Adrangi et al. and Liu et al. ('295), with the 
motivation being to allow better control of the packets that are allowed to enter a secure 
network to protect against malicious packets. 

5. Claims 6 and 11-13 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Adrangi et al. in view of Liu et al. ('295) and Liu et al. ('900) as applied to claims 5, 
9, and 14 above, and further in view of Mikkonen (U.S. Application 10/185714). 

With respect to claim 6, Adrangi et al. discloses a DMZ located outside the 
secure network wherein the VPN gateway and the HA reside in the DMZ (See page 2 
paragraph 20 and Figure 3 of Adrangi et al. for reference to corporate DMZ 210
that is located outside the secure network and includes the VPN gateway 225 and 
home agent 305). Adrangi et al. also discloses a first firewall between the secure 
network and the DMZ and a second firewall between the DMZ and an external network 
(See page 2 paragraph 20 and Figure 3 of Adrangi et al. for reference to inner 
firewall 15, which is a first firewall located between the corporate intranet 100 and 
the DMZ 210, and for reference to outer firewall 20, which is a second firewall 
located between the DMZ 210 and an external network 205). Adrangi et al. further 
discloses that the mobile node has a permanent address in a known range (See page 1 
paragraph 12 of Adrangi et al. for reference to a mobile node 140 having a 
permanent address that all data directed towards the mobile node is addressed to 
and for reference to a home agent intercepting and rerouting data to a care of 
address of the mobile node when the mobile node has exited its home network). 
Liu et al. ('900) discloses a firewall dropping packets having a source address in a 
known range (See page 2 paragraph 19 of Liu et al. for reference to maintaining an 
ALC table 104 that is used to store addresses and ranges of addresses and a field
indicating that the address or range of addresses should be dropped by a firewall).
The combination of Adrangi et al., Liu et al. ('900), and Liu et al. ('295) does not disclose 
that the VPN gateway has a direct connection to an internal interface of the first firewall. 

With respect to claim 11, Liu et al. ('900) discloses a firewall dropping packets 
having a source address in a known range (See page 2 paragraph 19 of Liu et al. for 
reference to maintaining an ALC table 104 that is used to store addresses and
ranges of addresses and a field indicating that the address or range of addresses
should be dropped by a firewall). The combination of Adrangi et al., Liu et al. ('900), 
and Liu et al. ('295) does not disclose that the VPN gateway has a direct connection to 
an internal interface of the first firewall. 

With respect to claims 6 and 11, Mikkonen, in the field of communications, 
discloses a firewall with an internal interface to a VPN gateway (See page 2 paragraph 
18 of Mikkonen for reference to a firewall 100 that also is used to operate as a 
VPN gateway meaning that since the firewall and gateway functions are 
performed in the same device, that they must have an internal interface with each 
other). Using a firewall with an internal connection to a VPN gateway has the 
advantage of allowing the operation of the firewall and VPN gateway to be better 
integrated so that secure packets received by the VPN gateway can be better filtered by 
the firewall. 

It would have been obvious for one of ordinary skill in the art at the time of the 
invention, when presented with the work of Mikkonen, to combine using a firewall with 
an internal interface to a VPN gateway, as suggested by Mikkonen, with the system and 
method of Adrangi et al., Liu et al. ('900), and Liu et al. ('295), with the motivation being 
to allow the operation of the firewall and VPN gateway to be better integrated so that 
secure packets received by the VPN gateway can be better filtered by the firewall. 

With respect to claim 12, Liu et al. ('900) discloses forwarding and decrypting 
packets, or otherwise dropping packets, according to a security association that exists 
(See page 2 paragraph 19 of Liu et al. for reference to using a table 104 to decide 
which packets to forward and which packets to drop according to a security
payload index). 

With respect to claim 13, Adrangi et al. discloses that packets from the MN 
destined towards nodes inside the secure network first go to the HA and then to the 
VPN gateway that is configured to forward the packets through the firewall to the secure 
network (See page 3 paragraph 27 and Figure 4 of Adrangi et al. for reference to 
packets sent from MN 140 to CN 310, which is a node inside of the corporate 
network 100, being first sent to home agent 305 and then to VPN gateway 225, 
which sends the packets through the firewall to CN 310). 

Response to Arguments 

6. Applicant's arguments filed 12/7/06 have been fully considered but they are not
persuasive.

Regarding Applicant's argument that: 

"Adrangi does not teach or suggest, at least, "the mobile node having only 
one security association and only one mobility binding with a Home 
Agent (HA) for the Mobile IP Home Agent functionality," emphasis added, 
as recited in independent claim 1. Instead, Adrangi discloses multiple 
possible mobility bindings (e.g. COAx and COAT) with the Home Agent for 
the Mobile IP home agent." (See page 12 of Applicant's Remarks)

the Examiner respectfully disagrees. Adrangi et al. discloses mobile nodes using a
"care-of address" (COA) when roaming from one network to another. While it is true
that the COA of a mobile node may change during roaming, there is only one COA used 
for a mobile node at any one time. Therefore, the current COA of a mobile node is the 
one and only one mobility binding used with a home agent of the mobile node at any 
given time. Therefore, Adrangi et al. does disclose the mobile node having only one 
security association and only one mobility binding with a Home Agent (HA) for the 
Mobile IP Home Agent functionality, as claimed. 

Conclusion 

7. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. Nilsen et al. (U.S. Publication US 2004/0078600) discloses 
another system and method using a hatched home agent 120, acting as a home agent, 
and a home agent 130, acting as a proxy home agent, to securely send packets from a 
mobile located outside of a secure network using a VPN tunnel. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Jason E. Mattis whose telephone number is (571) 272-3154.
The examiner can normally be reached on M-F 8AM-5:30PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Huy Vu can be reached on (571) 272-3155. The fax phone number for the
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 